babadeda | e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464

General

Target

a43be7341e3d13810d20b9e64e329c83.exe
Size

6.4MB
MD5

a43be7341e3d13810d20b9e64e329c83
SHA1

ad582a30ba365885be34fe503c744088d08b4baa
SHA256

e2c83783d6ab57ac91d99bfb9d607d0b5537e305661406bbf2347c3af92d3464
SHA512

cf79fcf60158a33adb39351b4626e8012e737acf4633b882c75240b21480ac1cc91e811c8b351f6e499b689d15b87054cc185c5d54e8e0d628b8b13bfc3bd877
SSDEEP

98304:oSilBhaEFMX+MEGi6OEJ0ehjDhGSib2RDWBXW4Gd72eg7GpAadkBlsr1SFF0:KhaIRMEXehxitdogqtqBq9

Score

10^/10

babadeda gozi 1001 banker crypter isfb loader trojan

Malware Config

Extracted

Family

gozi

Botnet

1001

C2

update1.avast.com

zilbon.ws

update2.avira.com

lumpet.co

emerald.ws

ferroun.in

Attributes

base_path
/sreamble/
build
250207
dga_season
10
exe_type
loader
extension
.sre
server_id
12

rsa_pubkey.plain

serpent.plain

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000143a8-195.dat	family_babadeda

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Executes dropped EXE 3 IoCs

pid	Process
2688	a43be7341e3d13810d20b9e64e329c83.tmp
2564	a43be7341e3d13810d20b9e64e329c83.tmp
2380	BouncyDotNET.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	a43be7341e3d13810d20b9e64e329c83.exe
2612	a43be7341e3d13810d20b9e64e329c83.exe
2564	a43be7341e3d13810d20b9e64e329c83.tmp
2564	a43be7341e3d13810d20b9e64e329c83.tmp
2380	BouncyDotNET.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	a43be7341e3d13810d20b9e64e329c83.tmp
2564	a43be7341e3d13810d20b9e64e329c83.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2564	a43be7341e3d13810d20b9e64e329c83.tmp

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2688	1568	a43be7341e3d13810d20b9e64e329c83.exe	28
PID 1568 wrote to memory of 2688	1568	a43be7341e3d13810d20b9e64e329c83.exe	28
PID 1568 wrote to memory of 2688	1568	a43be7341e3d13810d20b9e64e329c83.exe	28
PID 1568 wrote to memory of 2688	1568	a43be7341e3d13810d20b9e64e329c83.exe	28
PID 1568 wrote to memory of 2688	1568	a43be7341e3d13810d20b9e64e329c83.exe	28
PID 1568 wrote to memory of 2688	1568	a43be7341e3d13810d20b9e64e329c83.exe	28
PID 1568 wrote to memory of 2688	1568	a43be7341e3d13810d20b9e64e329c83.exe	28
PID 2688 wrote to memory of 2612	2688	a43be7341e3d13810d20b9e64e329c83.tmp	29
PID 2688 wrote to memory of 2612	2688	a43be7341e3d13810d20b9e64e329c83.tmp	29
PID 2688 wrote to memory of 2612	2688	a43be7341e3d13810d20b9e64e329c83.tmp	29
PID 2688 wrote to memory of 2612	2688	a43be7341e3d13810d20b9e64e329c83.tmp	29
PID 2688 wrote to memory of 2612	2688	a43be7341e3d13810d20b9e64e329c83.tmp	29
PID 2688 wrote to memory of 2612	2688	a43be7341e3d13810d20b9e64e329c83.tmp	29
PID 2688 wrote to memory of 2612	2688	a43be7341e3d13810d20b9e64e329c83.tmp	29
PID 2612 wrote to memory of 2564	2612	a43be7341e3d13810d20b9e64e329c83.exe	30
PID 2612 wrote to memory of 2564	2612	a43be7341e3d13810d20b9e64e329c83.exe	30
PID 2612 wrote to memory of 2564	2612	a43be7341e3d13810d20b9e64e329c83.exe	30
PID 2612 wrote to memory of 2564	2612	a43be7341e3d13810d20b9e64e329c83.exe	30
PID 2612 wrote to memory of 2564	2612	a43be7341e3d13810d20b9e64e329c83.exe	30
PID 2612 wrote to memory of 2564	2612	a43be7341e3d13810d20b9e64e329c83.exe	30
PID 2612 wrote to memory of 2564	2612	a43be7341e3d13810d20b9e64e329c83.exe	30
PID 2564 wrote to memory of 2380	2564	a43be7341e3d13810d20b9e64e329c83.tmp	31
PID 2564 wrote to memory of 2380	2564	a43be7341e3d13810d20b9e64e329c83.tmp	31
PID 2564 wrote to memory of 2380	2564	a43be7341e3d13810d20b9e64e329c83.tmp	31
PID 2564 wrote to memory of 2380	2564	a43be7341e3d13810d20b9e64e329c83.tmp	31

C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe
"C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\is-0545A.tmp\a43be7341e3d13810d20b9e64e329c83.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0545A.tmp\a43be7341e3d13810d20b9e64e329c83.tmp" /SL5="$400E0,5898797,953344,C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe
    "C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\is-5KGEU.tmp\a43be7341e3d13810d20b9e64e329c83.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-5KGEU.tmp\a43be7341e3d13810d20b9e64e329c83.tmp" /SL5="$500E0,5898797,953344,C:\Users\Admin\AppData\Local\Temp\a43be7341e3d13810d20b9e64e329c83.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe
        
        "C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe

Filesize
3.0MB

MD5
b2c4422bf53fe9c3f879b2adaeb39f56

SHA1
b86680698296f9bc244ca21497d8f7adb7f140aa

SHA256
2e3c6dbdee96b533c668c9ad731281d2ebf18f3eb1aec8e6efc3175dd28e7e8c

SHA512
8732fc79026258e196b9a359437c820440f7b79da48099548d5d4938058dbbe5837d08ef14b270b2c91137ce0a4b4e79b984f886f7378021d2d0152c912b97aa

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe

Filesize
5.8MB

MD5
e70951807abdec39daefa9a8df9dec15

SHA1
15a7b0f9c04d5f6bba477d91b502b4e24c1127f6

SHA256
dee1253761af168e331e8909cf6afb20b40a95a34400d9717773a77258ac62e6

SHA512
bd87a44e078a9e589b70419f9ba876e067bc549679962faf0a5f96d5f0d0167654adb53b2b10e065de8f705bfa51b0fed09fb3ce28d5014e4260b96dc64fa624

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\Lang\it\is-4LR6T.tmp

Filesize
5KB

MD5
9325aee138a4d9a15d651920fb403ffc

SHA1
19eb57cd989571fa8cd426cbd680430c0e006408

SHA256
9c8346c7f288e63933ebda42cbb874f76067c48198b01adfb63bccfa11970c35

SHA512
d3c0ccf217346e44436ac4f9db3e71b6d2eb152930005f019db5b58dcce923d94007e77fa5b938e182073c2e55163e886853b00e3fc22f135d70854120a218a8

Download Submit
C:\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\cds.xml

Filesize
304KB

MD5
2b622a85fd2b0b5531c86301818ceb2f

SHA1
5e1d127789e78683ce3deee1fd3e38f358bc50c2

SHA256
58489a55f9eb210b9e472ca21621ce544e03a2e026f0fa103c1a58102d39c025

SHA512
938d7ac9239568536a341c057a44142faad4921bbff5bcc76a89b0b4ed5343f324a46e6c533a9673434286673c4b5efbe4a8156d10c20a2760389ac785a34ce4

Download Submit
\Users\Admin\AppData\Local\Temp\is-0545A.tmp\a43be7341e3d13810d20b9e64e329c83.tmp

Filesize
3.1MB

MD5
8a24adf60923719e71306f56deb49ebc

SHA1
e098600fd5a98bc37d0d887e705a32a54bf4ae84

SHA256
221643457442624e98646e2e6f8a6ec7d8d79f9830d13cb168f69e60e69b0085

SHA512
dfbc2fcd389e07c4a2fcf7ce440f079022bc40c1b957c6bd89e7dc33695c0e80b5ecbcc823c44c68f80ce791ee065d39d7042b0579f736c786451f0183c6c02a

Download Submit
\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe

Filesize
3.9MB

MD5
6a2893e3b339c30e310621e43f95dce9

SHA1
7c0894efb1fec55acf8d44c9cf4d400975813a21

SHA256
2a43b0bc4490feef1f0176c97131fa073c8d7093e16b0f8f356a5bf8fb234a03

SHA512
cccd371e990e6cde58620943a5374d4ab82c0ef8c98e4bb2a53a3c22c2dccc20248568ba8d2ddb6bdad32f6332e3bd167c031b1c278391d4c6e884605d0a2523

Download Submit
\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\BouncyDotNET.exe

Filesize
3.4MB

MD5
0f52f805adef42d5d0456f566e43bc12

SHA1
79ca21a86270c940b72fbca19b365e52d828035d

SHA256
430b5ba6a3ec6b7a5c2e021b19afea3406dc7bb4007ceb46360ed4d12db12bb1

SHA512
d5ab40d77cf81b579035d0b2f2dd0817e0ca55166443a636d781e23f5566b5decf857344e1e3f50fca20729197d1ef12d693834079493dc3d402fa8f1c70aa72

Download Submit
\Users\Admin\AppData\Roaming\Bouncy for .NET Helper\qclp.dll

Filesize
3.8MB

MD5
4240767ecbcecd84f3c90d0ee889460c

SHA1
d390f9e165408864dda6c925dfe6627c557a6b24

SHA256
1d1e59b6a67e1f4ecc8516c384291655d4c51f7f91168e6b593f5f8919bffdc3

SHA512
89fe2e6cc6a1480d8a42efe2b694b3b677967b7656326fcf8453c7f484d92f450be65c6c2639cd08131dbc58e0d34ee696bf1b263227e34d2ac91c4aaa7aee61

Download Submit
memory/1568-15-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/1568-1-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2380-200-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2564-197-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download
memory/2612-11-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2612-199-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2688-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2688-13-0x0000000000400000-0x0000000000730000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing